The Biden Administration continues to advance a multitude of technology and cybersecurity initiatives that will reset the way the U.S. government and professionals approach procurement in federal information technology (IT). This focus is welcome as cyber threats increasingly target digital government services. ITI continues to call on U.S. policymakers to prioritize and act on these critical issues, including those detailed in ITI’s 2022 Action Plan. Advancing cybersecurity objectives through the timely and consistent implementation of sound public policy and procurement reforms will have a positive impact on the cybersecurity posture of the United States. At the same time, it is important that the administration take a holistic look at its priorities, including supply chain risk and competitiveness, to make sure those efforts are implemented in ways that don't stand in the way of effective cybersecurity policy.
As the federal government moves forward, here are five policies that will shape IT procurement in 2022:
FISMA Reform. The Federal Information Security Management Act (FISMA) provides guidance on how federal agencies track and report on their cybersecurity posture. The IT landscape, however, has changed dramatically since the last update to FISMA in 2014. The biggest shortcomings are FISMA’s prioritization of compliance over outcomes, the lack of continuous and automated risk management processes, and the bias against authorization reuse across agencies. In January, ITI’s Gordon Bitko testified at a U.S. House Committee on Oversight and Reform hearing about a bill to reform and modernize FISMA. The House measure complements the U.S. Senate’s bill to modernize FISMA and address some of its key issues; both build on ITI’s FISMA 2021 reform principles. The House and Senate versions still take differing views on key topics, such as whether the authorities of a Federal Chief Information Security Officer (CISO) should be aligned with the Office of Management and Budget (OMB) or with the Cybersecurity and Infrastructure Security Agency (CISA). However, given strong bipartisan support, Congress seems poised to resolve these differences and advance the reform effort in 2022.
Incident Reporting Requirements for Federal Agencies and Contractors. Incident reporting will remain a priority throughout 2022. As part of the FISMA and FedRAMP legislation in the Strengthening American Cybersecurity Act of 2022, Senators Gary Peters and Rob Portman recently repackaged their approach to incident reporting, which adopts many of the principles ITI advocated for in our first-of-their-kind U.S. and global principles on incident reporting. However, the need to establish standardized reporting procedures for cybersecurity incidents remains. For example, the Federal Acquisition Regulatory Council opened Case 2021-017 as directed by Section 2 of the Executive Order on Improving the Nation’s Cybersecurity. The case will produce standardized reporting requirements for federal contractors that experience a covered cyber incident. ITI will advocate for alignment of these approaches to ensure a clear and consistent incident reporting regime across all federal agencies.
CMMC. The Department of Defense (DoD) continues to move forward with the implementation of its Cybersecurity Maturity Model Certification program (CMMC). In November 2021, the Department announced modifications to the underlying model, which addressed many of the issues ITI raised in a multi-association letter and engagement with DoD. Additional implementation details, like how the program will handle certification reciprocity, will be addressed in the regulatory process. For 2022, we expect to see modifications to the Department’s marking practices for controlled unclassified information (CUI) as well as the publication of two rules in the Federal Register. We will, again, participate in the regulatory process to ensure that DoD considers key stakeholder feedback.
Zero Trust. The National Institute of Standards and Technology (NIST), OMB, and CISA have put out guidance regarding federal agencies’ migration to a zero trust environment. In January, the Biden Administration released OMB Memorandum M-22-09, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, as required by Section 3 of the Cyber EO. The administration views this strategy as a necessary first step and acknowledges that the federal government’s transition to a Zero Trust architecture won’t be quick or easy. ITI provided feedback on a draft version of this strategy, which informed the final document. Still pending in 2022 are the final versions of CISA’s Zero Trust Maturity Model and Cloud Security Technical Reference Architecture. CISA, OMB, and NIST will need to work together to ensure consistent application across federal civilian networks and national security systems.
Made in America. In 2022, the Made in America Office within OMB will continue to evaluate and implement policy changes related to the 2021 Executive Order on Ensuring the Future is Made in America by All of America’s Workers. ITI will continue to promote policies that take into account the realities of the global ICT supply chain, as well as the United States’ international trade obligations. ITI continues to spearhead the technology industry’s response to the unprecedented domestic sourcing requirements in the Infrastructure Investment and Jobs Act (IIJA) and to call on the government to address the IIJA’s application of new domestic content requirements to grants to state and local governments, which will significantly increase costs and delay or impede the execution of critical infrastructure projects nationwide. ITI recently led a multi-association letter encouraging the Biden Administration to adopt a targeted waiver for the commercial ICT products necessary to implement the IIJA, and directly engaged implementing agencies such as the National Telecommunications and Information Administration (NTIA) and the Federal Highway Administration. These efforts continue ITI’s advocacy on domestic sourcing rules, including our technology-focused multi-association letter, individual proposed rule comments, and a cross-industry multi-association comment responding to proposed changes to Buy American Act (BAA) requirements for federal contractors.